General

  • Target

    6fba36f968c9172ca0eb8f74a9a071488ab7ba8b3893619945c669c618c296a6

  • Size

    2.8MB

  • Sample

    220511-c86ggseac8

  • MD5

    891255ea3e3fca9af61b4c0eb48b8292

  • SHA1

    2325435aee0b456092b16f817d81fd1c8b320e3a

  • SHA256

    6fba36f968c9172ca0eb8f74a9a071488ab7ba8b3893619945c669c618c296a6

  • SHA512

    9a5fa2dff01938e096be0be09538577528c1733f859aebbd33b782d6346808eb16c5f620804e0cf29519c8c5c4303b8b9cb48f41ab0fffef1dc9c5c5171858c1

Targets

    • BitRAT

      BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    • BitRAT Payload

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Loads dropped DLL

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext
